Interesting to note:
- functions can be called with lots of spaces before parenthesis: SELECT ascii (1)
- there can be a lot of bullshit in this part and the syntax is still valid:
select(name) `bullshit bullshit bullshit`from users
- this works as well:
select`name`buuullshit from users
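
As an added example (not from the thread), a minimal token-based normalizer for the three MySQL quirks listed above: it shows why a detection rule that matches the raw text misses them while a rule that works on tokens does not. The keyword list is constructed for the demo and is not exhaustive.

```python
import re

# Lexer modelling the quirks in the post above: a backtick-quoted identifier
# needs no whitespace around it, and whitespace before '(' is insignificant.
# Characters not covered here (commas, operators, quotes) are skipped.
TOKEN_RE = re.compile(r"`[^`]*`|[A-Za-z_]\w*|\d+|[()]|\s+")

# Constructed keyword/function list for the demo; a real rule set is larger.
KEYWORDS = {"SELECT", "FROM", "UNION", "WHERE", "ASCII", "CHAR", "CONCAT"}


def tokenize(sql):
    """Split SQL into tokens roughly the way MySQL's lexer does.
    `name`foo yields two tokens, 'ascii (1)' yields ASCII then '(',
    and bare words are upper-cased so keywords compare case-insensitively."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        tok = m.group(0)
        if tok.isspace():
            continue
        out.append(tok if tok.startswith("`") else tok.upper())
    return out


def normalize(sql):
    """Canonical single-spaced form: the same statement written with or
    without the padding tricks above yields identical output."""
    return " ".join(tokenize(sql))


def naive_select_from(sql):
    """Raw-text rule 'select <word> from': defeated by the tricks above."""
    return re.search(r"\bselect\s+\S+\s+from\b", sql, re.I) is not None


def token_select_from(sql):
    """Token rule: SELECT and FROM both present, or a known function name
    directly followed by '(' (which catches 'ascii (1)')."""
    toks = tokenize(sql)
    if "SELECT" in toks and "FROM" in toks:
        return True
    return any(a in KEYWORDS and b == "(" for a, b in zip(toks, toks[1:]))


if __name__ == "__main__":
    for q in ("SELECT ascii (1)",
              "select(name) `bullshit bullshit bullshit`from users",
              "select`name`buuullshit from users"):
        print(normalize(q), naive_select_from(q), token_select_from(q))
```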

@hafif Excuse the late reply - didn't find time to look into the issues up to now. First of all: awesome finds! Some were caused by changes in PHP 5.3.x, some were plain bugs, one was a bug in the demo resulting from the server move - overall I had three locations to fix :)

It should be quite okay now - although I have a certain feeling that you might find more. About the DoS - I am not sure yet what to do about that. Will address it in a later release. Same for the links. Usually devs might wanna allow arbitrary HTTP(s) URLs - sometimes not. We should - as far as I can think now - include an option in the Config.ini.php to delegate the setting to the HTMLPurifier API we use under the hood.

.mario Wrote:
-------------------------------------------------------
> First of all:
> awesome finds! Some were caused by changes in PHP
> 5.3.x, some were plain bugs, one was a bug in the
> demo resulting from the server move - overall I
> had three locations to fix :)

THANKS :)

The following bypass was not so hard, and it uses the shift operator <<.
The real challenge, which was extremely difficult, was that there are multiple onclick injection points which caused errors before the script tag is launched (it should be noted that this difficulty might be limited to the scope of the demo application).

But I managed to get everyone satisfied:
http://demo.phpids.org/?test=%0d%2ba%0d>>setTimeout(a(1).a%2ba(1).b%2ba(1).c,1000);%0d'1';"1"="1";a="1\"\n<a name=a a=con b=fi c=rm(120) >1<<1\'1'1\"1";